It may look a little strange that I incorporated load tests into the application with so few functions. I had a few reasons for doing that. Here is my explanation.
Firstly, I wanted to test out the Artillery tool/load test framework:
https://artillery.io/
Secondly, this is a serverless application. From the beginning I focused on the services that I add to the stack, their initial limits and the total number of users I thought I needed to handle. I wanted to know how far I can push the stack I created. For this, I needed a load testing tool to fire a specified number of requests against the app.
There is one more reason for adding load tests: they are useful for finding issues with the provisioned stack. For instance, I found that the Parameter Store was limited when I fired too many Lambda functions in a short amount of time, so I decided to replace it with environment variables. There are a lot of AWS blogs and books that give answers to most of the questions you can think of. Sometimes it is easier to test it yourself instead of investing your time in long Google sessions. And very often you don't know what you don't know; load tests can give you some data to think about.
Below is a sample Artillery configuration that I created for the application load tests. I configured one flow that matches more or less what you can click through in the UI: you can log in, receive a JWT, and fetch todo items and the dashboard. This was quite easy to configure.
One problem I faced was the Google captcha that is integrated for all unauthenticated routes. I decided to keep it enabled and implement logic to skip the captcha inside the Cloudflare Worker. For that I defined a secret key 'PyAws-Admin-Access-Secret' and a flag with the name of the capability to enable, 'PyAws-Admin-Access-SkipCaptcha'. I pass this data via HTTP headers. The worker instance checks the condition and skips captcha validation if the secret matches the one provided in the Artillery config. The secret is provided to the Worker via the PyAWS CLI at deploy time.
This is a straightforward setup, and I didn't have to add special conditions to disable the captcha for some hosts. I don't like to add such conditions because it is easy to forget to remove them or to accidentally disable the captcha check completely for prod. As this is a serverless application, it must be protected against scripted attacks.
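One way to write the Worker-side check described above (an added example, not the application's own code). It assumes both quoted names are HTTP header names, that the flag value is `true`, and that the deployed secret is exposed as a hypothetical `env.ADMIN_ACCESS_SECRET` binding; the minimum secret length is also an assumption.

```javascript
// Added example, not the application's Worker code. The two header names come
// from the post; the "true" flag value, the env.ADMIN_ACCESS_SECRET binding
// and the minimum secret length are assumptions.
const SECRET_HEADER = "PyAws-Admin-Access-Secret";
const SKIP_CAPTCHA_HEADER = "PyAws-Admin-Access-SkipCaptcha";
const MIN_SECRET_LENGTH = 32;

// Compare two strings without stopping at the first differing byte.
function timingSafeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length; // different lengths can never match
  for (let i = 0; i < x.length; i++) {
    diff |= x[i] ^ y[i % (y.length || 1)];
  }
  return diff === 0;
}

// Decide whether captcha validation may be skipped for this request.
// `headers` needs a get(name) method, e.g. request.headers in a Worker.
function maySkipCaptcha(headers, env) {
  const configured = env.ADMIN_ACCESS_SECRET;
  // Fail closed: if the deploy step did not provide a strong secret,
  // the bypass does not exist and every request gets the captcha.
  if (typeof configured !== "string" || configured.length < MIN_SECRET_LENGTH) {
    return false;
  }
  // The capability must be requested explicitly; the secret alone does nothing.
  if (headers.get(SKIP_CAPTCHA_HEADER) !== "true") return false;
  const presented = headers.get(SECRET_HEADER);
  if (typeof presented !== "string" || presented.length === 0) return false;
  return timingSafeEqual(presented, configured);
}

// Constructed sample data (not a real secret). A Map stands in for the
// request's Headers object; unlike Headers, Map keys are case-sensitive.
const sampleEnv = { ADMIN_ACCESS_SECRET: "constructed-sample-secret-0123456789abcdef" };
const loadTestHeaders = new Map([
  [SECRET_HEADER, sampleEnv.ADMIN_ACCESS_SECRET],
  [SKIP_CAPTCHA_HEADER, "true"],
]);
const anonymousHeaders = new Map([[SKIP_CAPTCHA_HEADER, "true"]]);

console.log("load test skips captcha:", maySkipCaptcha(loadTestHeaders, sampleEnv));
console.log("anonymous skips captcha:", maySkipCaptcha(anonymousHeaders, sampleEnv));
```

Because an unset or short secret disables the bypass entirely, a deploy that forgets to supply the secret leaves the captcha enforced for every request.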
To test it out, you need to install it with npm: npm install -g artillery
To execute the test case from the test.yaml scenario: artillery run test.yaml
The output of the command is shown in the picture at the top. The Artillery CLI will refresh the status of all running scenarios, with response times and success/failure rates. It works really nicely.